Installing certificates


Guest sidsmut

Has anybody managed to get a "freebie" M$ certificate (i.e. one generated by your own Root authority/AD controller(s)) installed on an I-Mate SP5? I remember having trouble when I did this on my JasJar but I did get it working eventually (I didn't disable certificate checking as I recall). The problem is that neither the "old" CERTCHK utility nor adding the .cer file work (CERTCHK doesn't work on WM5 and you get "permission" problems when either using SPADDCERT for WM2003 or just "executing" the .cer file from the device using File Manager).

I REALLY need to get my SP5 working with secured GPRS ActiveSync direct to my Exchange server or I will be forced to revert to my SP3i. Sniff, Sniff..... ;)


Guest sidsmut

Solved it! I found this today:-

YEEEEEEEEEEEEEEEEEEEEEEEEESSSSSSSS!!!!

I cannot tell you how relieved I am. I've finally managed to get my i-mate SP5m WM5 Smartphone to sync with my Exchange server.

I thought I'd post this just as a more definitive guide, if you will, than the ones I've found so far, because it took me forever and a day to find that extra step that was required.

So, to application unlock the WM5 smartphone (and actually any other HTC device I think), and to install the root certificate from your internal CA (this is all assuming you have your own Windows-based Certificate Authority, not a public certificate):

1. Go to http://www.modaco.com/INFO_Decert_SIM_Unlo...50-t222786.html.

2. Download the HTC-signed "regeditSTG.zip" and move it to your smartphone. IMPORTANT: Put it on the phone, not on a memory card - this was my first sticking point.

3. Extract the zip file using Explorer on the device (if it's a WM5 device).

4. Run the Regedit exe and follow the instructions on the page above for registry changes to make. It was also suggested by a Microsofty a few posts down to change 00001017 (4119) to 144 (in the same part of the registry), although I'm not sure what each entry does. I did all three. :-)

5. Download SDA_ApplicationUnlock.exe from http://www.modaco.com/Motorola_MPx220_and_...0_app_locked..., connect the device, run this app, click "Unlock" or whatever, then restart the device.

6. Export the root certificate from the Certificate Authority in your domain (in DER format), copy it to the phone (again NOT the memory card) and simply run it from Explorer. Bob's yer uncle.

In case you don't know how to export the root cert, follow these instructions:

1. Run MMC on the CA server.

2. File, Add/Remove Snap-in.

3. Add... select Certification Authority, and select Local Computer.

4. Finish, Close, OK.

5. In MMC, right-click the CA, select Properties. View Certificate, go to Details tab, select Copy to File...

6. Next, make sure DER encoded binary is selected, Next, put something like "c:\rootcert".

7. Finish and you're done. Copy it to the phone, run it and you're done.

Can't believe it took me 4 days of frustration to get that far. It also took i-mate support just as long (as if they actually bothered reading my plea for help! hahaha). They really do suck.

Hope this helps folks, I know there's a lot of people asking these same questions around the place.

Many thanks to Fergus and the power of Google :idea:
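The export steps above insist on "DER encoded binary". As an added example (not part of the original post, and not any tool mentioned in the thread), the Python below checks whether an exported .cer file really is DER binary or Base-64 (PEM) text before it is copied to a device, and converts the latter. The sample bytes are constructed placeholders, not a real certificate, and only the outer ASN.1 structure is checked.

```python
import base64
import re

# PEM ("Base-64 encoded X.509" in the Windows export wizard) wraps DER in text armor.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_total_length(data: bytes):
    """Return the full length of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:       # a certificate starts with SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                           # short form: one length byte
        return 2 + first
    n = first & 0x7F                           # long form: next n bytes hold length
    if n == 0 or n > 4 or len(data) < 2 + n:   # 0x80 (indefinite) is not valid DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Classify file contents as 'der', 'pem' or 'unknown'."""
    if PEM_RE.search(data):
        return "pem"
    # DER must be exactly one object: truncation or trailing bytes are rejected.
    if der_total_length(data) == len(data):
        return "der"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return DER bytes for DER or PEM input; raise ValueError otherwise."""
    kind = classify(data)
    if kind == "der":
        return data
    if kind == "pem":
        body = PEM_RE.search(data).group(1)
        der = base64.b64decode(b"".join(body.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("PEM body is not a single DER object")
        return der
    raise ValueError("neither DER nor PEM certificate data")


# Constructed sample: a 300-byte SEQUENCE of zeros, NOT a real certificate.
DER_SAMPLE = bytes([0x30, 0x82, 0x01, 0x2C]) + bytes(300)
PEM_SAMPLE = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(DER_SAMPLE)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for label, blob in (("der", DER_SAMPLE), ("pem", PEM_SAMPLE),
                        ("truncated", DER_SAMPLE[:-10])):
        print(label, "->", classify(blob))
```
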


Guest pede1977

Where is the (4. Run the Regedit exe and follow the instructions on the page) that you are talking about above? I am missing the reg values. And the program SDA_ApplicationUnlock.exe is not working on WM5....


Guest sidsmut

If you follow the link mentioned in step 1) it will give you a signed registry editor that works on the SP5 as well as the other two registry keys you need to change. Also I ran SDA_ApplicationUnlock.exe and it worked just fine for me. It is run on the ActiveSync host (i.e. the PC) and is NOT a WM5 executable.

Let me know if you are still stuck.


Guest michehrlich

This mostly worked for me, except that to install the certificate I followed:

http://support.microsoft.com/default.aspx?...kb;en-us;841060

(this article only mentions WM 2002 and WM 2003 but the engineer who sent me the link says it's been tested on WM 5.0, and indeed I can confirm that it works for WM 5.0. The only difference is that for 5.0 you need to first create a directory off the root called Storage, because that's where SPAddcert looks for the certificate on 5.0).

Anyway, I now have air sync with Exchange -- it DOES work!

Next thing will be to get e-mails pushed to my phone as soon as they arrive in my Exchange mailbox -- any ideas, anyone?


Guest michehrlich
> Maybe this blogcast can help you (sorry, it's German :) ).
>
> Greetings Peter

Thanks Peter! I checked that out -- you can read my reply on that blog.

Here's a rough translation:

Very helpful!

A couple questions:

- How did you get MSFP? From everything I have seen online, it's not available yet.

- Unless I missed something, this is not about real Push, but just sync. Real push is: when an e-mail lands in my Exchange inbox, it immediately gets pushed to my phone without waiting for the next scheduled sync.

Or did I miss something? Don't mean to complain, just trying to get to a real Push situation!

- Michel


  • 1 month later...
Guest willcheng

Hi there,

I've got a MDA Vario from T-Mobile (same as HTC Wizard, 02 XDA mini S or i-mate K-Jam) As far as I can tell I've followed the exact steps that have been laid out in the original post and also followed the "How to add root certificates to Windows Mobile..." - everything seems fine until I try to install the cert using SpAddCert.exe - I still get an error saying "This is not a valid certificate file...etc.etc."

I'm thinking maybe I've not edited the registry correctly. Here's what I've done:

1. Using PHM Registry Editor I navigate to HKLM\Security\Policies\Policies\

2. Then I've changed 00001001 to 1, 00001005 to 40 and 00001017 to 144

In previous post it says "change 00001017 (4119) to 144". The only thing that I can't see in PHM regedit is "(4119)". I only see 2 columns - Name (e.g. 00001017) and Data(e.g. 144 (0X000090)). Am I doing this step incorrectly?

Don't know if you can help - I'm pulling my hair out ;)


Guest rsearley

On the imate website is a utility called: i-mate™ SP5m Certificate Installer

i am guessing they have one for the SP5.. the utility is described as follows:

Use this application to enroll root certificates in your SP5m. These certificates can be used for authentication in SSL connections for Outlook Email, Web Sites, etc The Certificate must be available as a binary .cer file.

could you not have used this?????


Guest michehrlich

I used this on my SP5, and it worked like a charm. However, when I tried it on my colleague's QTEK 8310 (which is exactly the same HTC phone as the SP5 and which I bought because pdashop.nl was out of SP5s), I got a screen that said that this certificate installer is for i-mate phones only. So I had also assumed that it could work on all, or at least many HTC devices, but that was not correct.

So I did the following, and it worked:

A. Make sure you have the following:

- the certificate

- smartphoneaddcert.exe

- RegeditSTG.zip

- SDA_ApplicationUnlock

B. Then do this (with your phone connected to PC via ActiveSync throughout the process):

- Copy the file RegeditSTG.zip to the phone; then extract it on the phone (it won't copy over as an exe file; must be copied first as zip, then extracted).

- Then using RegeditSTG find the key HKLM\Security\Policies\Policies\00001017 and change value from 128 to 144

- Then run SDA_ApplicationUnlock on your PC. This should unlock the phone. If you try it without the registry change, it will not succeed in unlocking the phone.

- Create a folder called "Storage" in the root directory of the phone (this is where SPAddCert will look for the certificate; if it's not there, it won't be found)

- Copy the certificate there

- Unzip smartphoneaddcert.exe on your PC, which produces a number of files; just copy the file "SpAddCert.exe" onto the phone.

- Run the SpAddCert on the phone. It will find the certificate in the "Storage" folder you have created and will offer to add it. Complete the wizard.

- Re-start the phone.


Guest michehrlich

Willcheng, see my reply to rsearly -- there is a possible solution for you there. I'm also attaching a zip file (UnlockAndAddCert.zip) containing the three tools I mention in A (not the certificate, obviously).

UnlockAndAddCert.zip


Guest willcheng

Hi michehrlich, Thanks for your help. It seems like your version of regeditSTG is a little different to mine. I've attached the one that I've been using. The difference seems to be that I can only edit the data value in binary format. Unless I'm using the app incorrectly - can you give me some tips on how to navigate to HKLM\Security\Policies\Policies\ using your version of regeditSTG?

Incidentally I tried not editing the registry and then using the SDA_ApplicationUnlock.exe and the application still says that the phone has been "successfully unlocked, please reboot" - so I'm not really sure if the application unlock has worked - is there any way of checking?

Anyway - I've followed the steps but the Certificate is still seen as invalid.

programs.zip

I'm persevering :?:

Will


Guest michehrlich

Unfortunately I'm not quite sure how to communicate that to you since I don't know how to do screenshots -- it's just normal navigation to the correct key and to go into it and change the value (or to go into the value and change the value -- as you can see I'm not even sure what is a key and what is a value and I did it anyway!) and change the number by moving the joystick to the right, which adds 1 to the number each time, until you reach the number you need. Remember that you need to be doing this ON the phone. I should add that I have only ever done this on an i-mate SP5 and a Qtek 8310; I can't speak for other devices.


What happens for me if I DON'T change the registry is that when I run SDA_ApplicationUnlock, I get a screen warning that "the phone is locked, do you want to proceed?" (or something like that) and if I click yes, it does indeed tell me that the phone has been successfully unlocked, but it's not true. After I do the registry change and run SDA again, I don't get the screen warning that the phone is locked; it just goes straight to the success screen, and then it's true.


Guest dm.wood

I have a Qtek 8310 and I am using it successfully to synchronise with my Exchange 2003 mail server.

I also used PHM Registry Editor to navigate to HKLM\Security\Policies\Policies\

Then I changed 00001001 to 1, 00001005 to 40 and 00001017 to 144 as well

Make sure you are viewing the key values in decimal not hex.

The one thing I did not do was use the SPAddCert application you mention.

I manually installed root Cert from on my Qtek. I just copied it across to a temp folder that I created and installed it by selecting it in file explorer. I did have to application unlock the phone first though using the SDA_ApplicationUnlock.exe

The Cert I used was issued from my own internal MS CA server as well, it was not a commercial cert.

My root cert is now listed in the Certificates section on the phone and Exchange Activesync works a treat. ;)

Edited by dm.wood

Guest willcheng

Thanks for this - I'm probably doing some of the steps wrong - I'll have another go.

I don't think this could be an issue with my device - I think it is a WM5 issue so hopefully if it works on your QTeks then it should work on my MDA Vario (which is a Qtek 9100).

Btw - Did you have a look at the version of regedit that I attached?


Guest dm.wood

PHM Registry editor that you attached is the same one that I used. What's the Numlocker.exe for? ..I haven't seen that application before.


Guest willcheng

Hmmm strange...

1. I've managed to navigate to the right keys and change the values.

2. I then run SDA_ApplicationUnlock.exe (I've attached the screenshots for this: ss.zip)

3. I've then rebooted the device, went back into regedit to check the values, and for some strange reason they have gone back to the original values.

If I don't run SDA_ApplicationUnlock.exe the values stay changed.

Every time I run SDA_ApplicationUnlock.exe the values change back to the original factory settings.

(Wish I could take SS of my device)


Guest willcheng

I'm not sure what the numlocker does - I downloaded the regedit off a site and it all came in a zip file. I've not used it.


Guest dm.wood

Hmmm....After you have run the SDA_ApplicationUnlock.exe... if you change the registry values do they stay? I think you may need to change the values after unlocking the device ;)


Guest willcheng

Either way I still can't install the certificate. I think you need to make the registry changes first in order for SDA_ApplicationUnlock.exe to work anyway. :D

I've had a chat with T-Mobile and they say that the only lock on my phone is the sim lock (which I managed to unlock anyway) - I might have to try and talk to them again.

It's SDA_ApplicationUnlock.exe that is changing the values. And for some strange reason it's changing the values to 16.

Weird.

(Why O why has M$ not got a fix for this.... Why why why!!)


  • 2 weeks later...

I was able to add my own certificate to my c600 by changing the value of following registry entry on the device:

HKLM\Security\Policies\Policies\00001017 from 128 to 144.

I also changed 00001001 to 1 and 00001005 to 40 but I don't think that helped.

Restart the device.

Export the desired certificate as a binary encoded (DER) certificate (.cer).

Copy the .cer file to the device.

Open the .cer file on the device via file explorer.

So I now have the certificate listed in the root certificate list, but when I use ActiveSync with my Exchange server I get an error that says "The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server."

Great ;) Any ideas? Certificates are def. listed


Guest dm.wood

Ok the thing you have to be careful with is that the exported root cert "issued to" name matches the name of the address (url) you are trying to connect to with the SPV c600, using GPRS.

In my case I am using a dynamic IP (I don't use a domain name) so the root cert "issued to" name has to be my external IP.

If you are connecting to "your_external_domain.com" but the certificate you created on your CA server and then copied to your SPV has the "issued to" name as "internal_domain.com" the connection will fail.

You must also make sure the Exchange Web components on IIS are using the same Cert to provide an SSL connection. Again in my case the SSL certificate is installed under the "Default web site" in IIS as this is where the Exchange web components are installed.

Hope this helps !! ;)
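The name check described in the post above, written out as an added example (not part of the original post and not Windows Mobile's own matching code): given the host name or IP entered as the sync server address and the names read from the certificate the server presents, it reports whether they match. It goes beyond the post by also handling alternative names and a left-most wildcard, following the general TLS host-matching rules; all names and addresses in the sample list are constructed.

```python
import ipaddress


def is_ip(value: str) -> bool:
    """True if value is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def label_match(pattern: str, host: str) -> bool:
    """Compare a certificate DNS name with a host, case-insensitively.

    A '*' is accepted only as the whole left-most label and never matches
    across dots, so '*.example.com' covers 'mail.example.com' but not
    'example.com' or 'a.b.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def name_matches(target: str, issued_to: str, alt_names=()) -> bool:
    """Does the certificate cover the address the client connects to?

    Assumption: alternative names, when present, replace the "issued to"
    name (the usual rule for current TLS clients).
    """
    names = list(alt_names) or [issued_to]
    if is_ip(target):
        # An IP target must match an IP name exactly; wildcards never apply.
        t = ipaddress.ip_address(target)
        return any(is_ip(n) and ipaddress.ip_address(n) == t for n in names)
    return any(not is_ip(n) and label_match(n, target) for n in names)


def mismatches(configs):
    """Return the (target, issued_to) pairs that fail the name check."""
    return [(t, cn) for t, cn, sans in configs if not name_matches(t, cn, sans)]


# Constructed configurations: (address set on the phone, "issued to", alt names)
SAMPLE_CONFIGS = [
    ("your_external_domain.com", "your_external_domain.com", ()),
    ("your_external_domain.com", "internal_domain.com", ()),      # the failing case
    ("203.0.113.10", "203.0.113.10", ()),                         # IP used as name
    ("203.0.113.10", "mail.example.com", ()),
    ("mail.example.com", "server01", ("mail.example.com", "server01.corp.example")),
]

if __name__ == "__main__":
    for target, cn in mismatches(SAMPLE_CONFIGS):
        print(f"name mismatch: connecting to {target!r}, certificate issued to {cn!r}")
```
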


Guest hasbull_88

help me....

I have extracted the regedit.zip file...

Then, what should I do next? Open or run?

When I open the file, it shows other registry, not regedit...

When I run the file, it wants me to put "command" and "parameters"

:??:


  • 1 month later...
Guest wbremner

Thanks - that's helpful. So the "issued to" name is just the IP address if you are using dynamic IP?


Guest dm.wood

That's correct, let me know if you have any further questions :)
